How to pass Sp entityId from Idp to Shibboleth Sp?
Peter Schober
peter.schober at univie.ac.at
Tue Dec 15 03:55:55 EST 2015
* Abdul Waheed <waheedtechblog at gmail.com> [2015-12-14 18:48]:
> I have deployed one application which is protected by Shib and after
> authentication I am passing uid as Shib header to my application. I am
> passing uid as assertion from IdP and mapping it in attribute_map.xml file
> at SP side.
> So now my requirement is to pass Shib entityId, Idp entityId along with uid.
> So I need all these three parameters in my application so that I can
> perform some operation.
I wonder if you need entityID because uid is only unique within the
asserting party (i.e., the IDP)? If so that's a very common scenario
and the reason why people don't use uid in federated use-cases at all.
Instead just use an identifier that's defined to be globally unique,
such as eduPersonPrincipalName (which many IDPs create dynamically
from uid + @ + their canonical DNS domain; see the eduPerson spec for
more: http://macedir.org/specs/eduperson/#eduPersonPrincipalName ).
Or use SAML2 persistent NameIDs.
(Those already contain the entityID of the asserting IDP and of the
receiving SP, as well as some opaque part identifying the subject.)
Or use email addresses.
Or eduPersonUniqueId, as per
http://macedir.org/specs/eduperson/#eduPersonUniqueId
All of these are defined to be globally unique, without requiring them to be
tied to the issuer / asserting IDP.
-peter
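An added illustration of the point made above (example code written for this archive page; it is not part of Peter's message, the original poster's application, or the Shibboleth code base). It shows why a bare uid is not a safe key once more than one IdP is involved, how a SAML2 persistent NameID already carries both entityIDs (NameQualifier for the IdP, SPNameQualifier for the SP), and how a scoped identifier such as eduPersonPrincipalName should be checked against the scopes the asserting IdP is allowed to use. The entityIDs, the NameID value and the scope list are constructed sample values; the `idp!sp!value` serialization mirrors the formatter the Shibboleth SP's default attribute-map.xml uses for its persistent-id attribute.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample: a persistent NameID as an IdP would place it in <saml:Subject>.
SAMPLE_NAMEID = (
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
    'NameQualifier="https://idp.example.edu/idp/shibboleth" '
    'SPNameQualifier="https://sp.example.org/shibboleth">'
    "c3f9a0b7-constructed-opaque-value</saml:NameID>"
)

# Constructed sample: scopes each IdP is permitted to assert (in a real
# deployment this comes from federation metadata / the SP's attribute filter).
ALLOWED_SCOPES = {
    "https://idp-a.example.edu/idp/shibboleth": {"example.edu"},
    "https://idp-b.example.net/idp/shibboleth": {"example.net"},
}


def parse_persistent_nameid(xml_text):
    """Extract (IdP entityID, SP entityID, opaque value) from a persistent NameID.

    All three parts are required: a persistent NameID without qualifiers cannot
    be safely tied to the party that asserted it.
    """
    el = ET.fromstring(xml_text)
    if el.tag != f"{{{SAML_NS}}}NameID":
        raise ValueError("not a saml:NameID element")
    if el.get("Format") != PERSISTENT:
        raise ValueError("not a persistent NameID")
    idp = el.get("NameQualifier")
    sp = el.get("SPNameQualifier")
    value = (el.text or "").strip()
    if not (idp and sp and value):
        raise ValueError("persistent NameID is missing a qualifier or its value")
    return {"idp_entity_id": idp, "sp_entity_id": sp, "value": value}


def scoped_key(idp_entity_id, sp_entity_id, value):
    """Serialize a subject key so identical values from different IdPs never collide."""
    return f"{idp_entity_id}!{sp_entity_id}!{value}"


def check_scoped_attribute(idp_entity_id, eppn):
    """Accept a scoped value like 'jsmith@example.edu' only if the asserting IdP
    is allowed to use that scope; otherwise a rogue or misconfigured IdP could
    impersonate users of another institution."""
    if eppn.count("@") != 1:
        raise ValueError("scoped attribute must contain exactly one '@'")
    local, scope = eppn.split("@")
    if not local or scope not in ALLOWED_SCOPES.get(idp_entity_id, set()):
        raise ValueError(f"scope {scope!r} not permitted for {idp_entity_id}")
    return eppn


def collision_demo():
    """Two different people with the same uid at two IdPs: one key without
    scoping, two keys with it. Returns (unscoped_count, scoped_count)."""
    sp = "https://sp.example.org/shibboleth"
    records = [
        ("https://idp-a.example.edu/idp/shibboleth", "jsmith"),
        ("https://idp-b.example.net/idp/shibboleth", "jsmith"),
    ]
    unscoped = {uid for _, uid in records}
    scoped = {scoped_key(idp, sp, uid) for idp, uid in records}
    return len(unscoped), len(scoped)


if __name__ == "__main__":
    print(parse_persistent_nameid(SAMPLE_NAMEID))
    print(collision_demo())
    print(check_scoped_attribute("https://idp-a.example.edu/idp/shibboleth", "jsmith@example.edu"))
```

The SP side of the original question is then simply a matter of consuming persistent-id (or eppn) as the application key instead of uid; the asserting IdP's entityID is already embedded in the value the SP hands over, so nothing extra has to be passed from the IdP.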